Phishing: Don't Take the Bait!

Security incidents are common but can be prevented if you have a staff that knows what to look for. The most common attack organizations face is phishing. Here’s information you can use to ensure you and your staff don’t take the bait.

The average cyberattack for a small healthcare provider can cost upwards of $1 million in recovery. Download white paper, "Healthcare, Cybersecurity, and You."
btnLearnMore orange

Over 78% of organizations have experienced one or more serious cyber security incidents in 2018, and with ransomware scheduled to make a comeback in 2020 it’s important that your employees are armed with knowledge to protect your systems and themselves. The most common attacks are infections resulting from phishing emails, lack of confidential data through email, and targeted email attacks launched from compromised accounts.

Bad actors are frequently using web-based tactics and deploying diverse techniques to target human weakness – one of the most popular is sophisticated phishing attacks. These cyber-attacks masquerade as login verification emails, your account status being compromised, targeted ads, social media, and malicious browser extensions. With over 46,000 new phishing sites going live each day, there’s a misconception that existing security defenses are sufficient to fight the viruses that are out there, but this simply is not true. The greatest concern decision makers and executives face is having their log on credentials stolen through email-based phishing, computers getting infected with malware through email-based attacks, end points getting infected with ransomware, and senior executives credentials getting stolen through spearphishing. We want to walk you through the most common ways bad actors are trying to use phishing to infiltrate your system.

Email Based Phishing

Users continue to be the weak link in the security chain. Only 30% receive training once per year and only 21% are trained twice per year. This means that only one-half of users are not trained often enough to make them an effective barrier against security threats, especially against today’s sophisticated and legitimate looking attacks.

Most organizations security defenses are getting better over time at stopping malicious emails, but not at stopping CEO Fraud/Business Email Compromise and ransomware attempts. The problem is that while email security has been focused on the right hand of cyber-attacks, the left hand is still wreaking havoc and causing issues. We’ve protected one side but not the other.

Phishing is typically the most common threat that organizations face. A well-timed phishing email may trick a distracted employee into clicking a malicious link or attachment. These devious attempts may take the form of a company asking for more information for the latest order that was placed, a fake email from HR during benefits open enrollment or a fake iTunes receipt.

These phishing attempts lure victims into revealing their credentials for file sharing sites such as one drive, dropbox or google docs. Users will often be asked to enter their credentials to download an encrypted file, after which the credentials will be stolen, or malware will be installed on their endpoint. One of the ways you can check the validity of the email is to click the drop-down arrow at the top of your email. If the address looks suspicious or you don’t remember placing an order to that particular company, it’s always better to close the browser, reopen and navigate to the actual site or pick up the phone and call customer service directly to inquire about the email you received.

Malware

Malware infects computers and systems through a number of ways. The most common way is through emails whether that be through harmful embedded links or attachments that pose as an invoice or helpful piece of information.

Bad actors are also relying on social media posts and drive-by web attacks to infiltrate vulnerable systems. What’s frightening is that in this new age of digital technology, the new forms of malware are file-less in order to avoid detection by anti-virus software programs. Malicious sites are inserted into the html and javascript browser memory directly and do not require an .exe to operate. Which means the malware begins working in the background from the moment you open the suspicious email – so if you’re unable to verify where the email came from, it’s best just to dump it in the trash.

Ransomware

The phishing attacks that got everyone talking last year centered around ransomware. The dreaded email you accidentally open that encrypts and locks down your entire system until a fee or ransom is paid to lift the encryption and release your files. There are hospitals and healthcare facilities that are still operating on partial systems due to ransomware attacks that took over their systems in 2018. After a ransomware encryption has taken over your system there is little that can be done to de-crypt the files. Again, if you’re unable to verify where the email came from, it’s best to forward it to your IT department and delete the email from your system.

Spearphishing

Finally, the last type of cyber-attack we want to address is spearphishing. This is often the most successful and dangerous type of phishing on the web. Spearphishing requires social engineering and research acquired at a high level to ensure the bait is taken. The main goal of a spearphishing attack is to gain login credentials of a high-ranking C-Suite executive in order to compromise their company’s data and infrastructure or to gather their personal information to infiltrate their finances and possibly steal their identity.

Another attack vector with spearphishing is the bad actor sending an email that looks like it could be from your CEO or another high-level administrator asking you to verify your credentials or open an attachment. There is never an incident where double checking the validity of an email is unwise. There are no stupid questions, especially when it comes to cyber security and keeping the data of your company safe from outside attacks. When in doubt – verify.

As an employee you are the last line of defense against phishing attacks in your organization. If the firewall, IT department and spam folder have all failed – it is you, armed with knowledge, that stands between you and the bad actor gaining control of your company data. Remember to trust but verify – and always keep your company data protected even if it means asking a question that could be perceived as unintelligent. Keep your company’s best interest at heart, and if it looks suspicious – don’t take the bait.

Cited: 2019 Osterman Research White Paper “Addressing the Top 10 Security Issues Organizations Face”

If you enjoyed this post, you'll love our email updates!

Receive content on industry topics, upcoming webinars, current healthcare trends, and more!